On the day that Oracle released its new 11g Database, I went along to the Arsenal Emirates Stadium to attend the Fusion event hosted by Oracle.
Access all the event content here. Oracle have also referred to this site for further fusion information.
The calendar consisted of Keynote speakers, breakout sessions, demo booths, a selling spiel by Herr Doktor Fujitsu Siemens and clues for the future direction.
Having planned to attend the Content and Collaboration session, I switched after realizing that the presenter (Binesh Lad) was the chap who had presented a session I attended in Birmingham on 4th June 2007. After a quick word with him, I moved to the GRC (Governance, Risk and Compliance) breakout session. Let’s be honest, it’s not the most exciting of subjects…
It was billed as: “maximise the value of information assets whilst reducing the costs and complexities associated with achieving, managing and maintaining regulatory compliance”
Key areas
- Identity Management
- Content management
- Business Process Management
- Drive segregation of duties into the database
- Access control via single sign-on
- Use the Stellent role-based access control
- Ensure that the key KPI of employee satisfaction is measured
Identity Governance Framework (IGF)
This is a recent initiative that includes Oracle; see here for more information. It also mentions the AAPML and CARML protocols. Essentially, the Identity Governance Framework (IGF) is an open initiative to address governance of identity-related information across enterprise IT systems. Considering the number of acquisitions that the Big O has made recently, this is absolutely necessary: they need a common method of enforcing access control across all the acquired apps. Mention was made of Identity Analytics for compliance reporting, which seems to be a product of Siebel Analytics… let’s see what this means.
Presentation by Matt Luscombe from Deloitte, Head of the Oracle Security & Controls team within the UK Security & Privacy practice.
He showed the maturity model to demonstrate where an organisation may fit:
- Nothing
- spreadsheet-based
- Automated
- Sustained compliance
- True vision
From the perspective of an auditor (which he is), they are looking for:
Authentication (log-on)
- User provisioning – starters, movers and leavers
- Weak password control
- shared or generic user accounts (sysadmin, dba)
Authorisation (privileges)
- Sysadmin availability
- Developer access
- Segregation of duties
Deloitte’s survey showed that 1/3 of users have privileges that could allow fraud, and there were large numbers of conflicting privileges.
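The segregation-of-duties finding above is the kind of thing an auditor checks by computing each user's effective privileges (the union across all their roles) and testing them against a list of forbidden combinations. The script below is an added example, not code from the presentation or from any Oracle product; the roles, privileges, users and conflict rules are constructed for illustration. Note that it catches conflicts that only arise from combining two individually harmless roles, which is where most real conflicts hide.

```python
"""Segregation-of-duties (SoD) conflict check over a role/privilege matrix.

Added example. The roles, privileges, users and rules below are constructed
for illustration and do not describe any real system or product.
"""

# Role -> privileges granted by that role (constructed)
ROLE_PRIVILEGES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "treasury": {"release_payment"},
    "hr_admin": {"create_employee", "change_bank_details"},
    "payroll": {"run_payroll"},
    "dba": {"alter_any_table", "grant_any_privilege"},
    "developer": {"deploy_code"},
}

# Pairs of privileges one person must never hold together (constructed).
# Each is the classic "can initiate and also approve or settle" pattern.
SOD_RULES = [
    ({"create_vendor", "approve_payment"}, "create a vendor and approve paying it"),
    ({"enter_invoice", "release_payment"}, "enter an invoice and release the cash"),
    ({"change_bank_details", "run_payroll"}, "redirect pay and then run payroll"),
    ({"deploy_code", "alter_any_table"}, "change both code and data in production"),
]

# User -> assigned roles (constructed)
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],   # conflict only via the combination
    "carol": ["hr_admin", "payroll"],
    "dave": ["treasury"],
    "erin": ["developer", "dba"],
    "frank": ["developer"],
}


def effective_privileges(roles, role_privileges=ROLE_PRIVILEGES):
    """Union of privileges across every role a user holds."""
    privs = set()
    for role in roles:
        privs |= role_privileges.get(role, set())
    return privs


def find_sod_conflicts(user_roles=USER_ROLES, rules=SOD_RULES,
                       role_privileges=ROLE_PRIVILEGES):
    """Return {user: [rule description, ...]} for every user violating a rule."""
    conflicts = {}
    for user, roles in user_roles.items():
        privs = effective_privileges(roles, role_privileges)
        hits = [desc for pair, desc in rules if pair <= privs]
        if hits:
            conflicts[user] = hits
    return conflicts


def conflict_ratio(user_roles=USER_ROLES, rules=SOD_RULES):
    """Fraction of users holding at least one conflicting combination."""
    if not user_roles:
        return 0.0
    return len(find_sod_conflicts(user_roles, rules)) / len(user_roles)


if __name__ == "__main__":
    for user, hits in sorted(find_sod_conflicts().items()):
        print(f"{user}: " + "; ".join(hits))
    print(f"{conflict_ratio():.0%} of users hold a conflicting combination")
```

In a real review the role-to-privilege map comes from the application's own security tables and the rule list from the finance and HR control owners; the logic stays the same.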
Auditing
- Audit logs rarely reviewed. (What to do with all that log data? Article here).
- Exceptional activities were not acted upon
The benefits of implementing GRC
- Financial
- Assurance – confidence in system controls
- visibility
Common concerns of GRC
- Difficult/expensive
- fear of new products
- little prior experience in implementing tools
Presentation by Geoff Sweeney, Chief Technology Officer Tier3.
Emphasises the need to be Proactive. Why?
- Identify risks in advance. Reduces response time to threats.
- Minimise business impact
- protect shareholder value
- avoid fines
- protect reputation
Examples of reactive consequences
- Fidelity National Information Services: 2.3m personal records stolen
- TK Maxx: 45m credit card records stolen (and probably many more)
- DuPont: trade secrets theft valued at $400m
- Nordea Bank: $1.m fraud through a trojan
Current Approach
- Many solutions which are unmanageable
- Pre-defined rule and known-threat based (firewalls, anti-virus)
- Perimeter origin focus; stop everything coming from the outside. What about data leaking out from employees?
- Reactive
Enterprise Anomaly Management
Much of the risk lies internally.
- Profile the usage of all assets
- Allows highlight of unusual events
- Use tools to highlight peaks of unusual activity as it occurs
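The "profile usage, then highlight peaks" approach above (and the earlier point that audit logs are rarely reviewed) is easy to sketch in code: aggregate an audit trail per user and per hour, build each user's own baseline from their other hours, and flag the hours that stand well outside it. The script below is an added example, not Tier3's product or any Oracle tool; the log format and the sample lines are constructed for illustration.

```python
"""Per-user baseline and peak detection over audit log lines (added example).

The line format and the sample log are constructed for illustration; they are
not the Oracle audit trail format or any vendor's product output.
"""
import re
import statistics
from collections import defaultdict

# Constructed format: "<timestamp> user=<u> action=<a> table=<t> rows=<n>"
# The hour bucket is captured directly from the timestamp.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample: alice reads a modest number of rows each hour, then one
# hour shows a bulk read of the salaries table far above her own baseline.
# bob reads ten times more than alice every hour, but steadily, so his
# per-user profile is flat and nothing of his should be flagged.
SAMPLE_LOG = """\
2007-07-11T09:05:12 user=alice action=SELECT table=orders rows=40
2007-07-11T10:12:01 user=alice action=SELECT table=orders rows=55
2007-07-11T11:20:44 user=alice action=SELECT table=orders rows=35
2007-07-11T12:01:09 user=alice action=SELECT table=orders rows=48
2007-07-11T13:15:30 user=alice action=SELECT table=orders rows=52
2007-07-11T14:02:17 user=alice action=SELECT table=salaries rows=9800
2007-07-11T09:30:00 user=bob action=SELECT table=orders rows=500
2007-07-11T10:30:00 user=bob action=SELECT table=orders rows=520
2007-07-11T11:30:00 user=bob action=SELECT table=orders rows=480
2007-07-11T12:30:00 user=bob action=SELECT table=orders rows=510
2007-07-11T13:30:00 user=bob action=SELECT table=orders rows=495
"""


def parse_log(text):
    """Return (events, malformed_count); bad lines are counted, never dropped silently."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            bad += 1
            continue
        ev = m.groupdict()
        ev["rows"] = int(ev["rows"])
        events.append(ev)
    return events, bad


def hourly_profile(events):
    """Rows read per (user, hour bucket): the usage profile of each asset user."""
    profile = defaultdict(int)
    for ev in events:
        profile[(ev["user"], ev["ts"])] += ev["rows"]
    return profile


def find_peaks(profile, min_samples=3, z_threshold=3.0):
    """Flag (user, hour, rows, z) where an hour stands out from the user's OTHER hours.

    The baseline is leave-one-out (the user's remaining hours), so a single
    huge hour cannot inflate the baseline it is being compared against.
    """
    by_user = defaultdict(dict)
    for (user, hour), rows in profile.items():
        by_user[user][hour] = rows
    peaks = []
    for user, hours in by_user.items():
        for hour, rows in sorted(hours.items()):
            others = [r for h, r in hours.items() if h != hour]
            if len(others) < min_samples:
                continue  # too little history to judge: stay quiet rather than guess
            mean = statistics.mean(others)
            stdev = statistics.pstdev(others) or 1.0  # guard a perfectly flat baseline
            z = (rows - mean) / stdev
            if z > z_threshold:
                peaks.append((user, hour, rows, round(z, 1)))
    return peaks


def analyse(text):
    """Convenience wrapper: parse, profile and flag in one call."""
    events, bad = parse_log(text)
    return find_peaks(hourly_profile(events)), bad


if __name__ == "__main__":
    peaks, bad = analyse(SAMPLE_LOG)
    for user, hour, rows, z in peaks:
        print(f"PEAK {user} {hour}: {rows} rows (z={z})")
    print(f"{bad} malformed line(s) skipped")
```

The design point is that the baseline is per user, not global: bob's steady 500 rows an hour is normal for bob, while alice's single 9,800-row hour is wildly abnormal for alice, and that is the one the reviewer should see first.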
Presentation by Daniel Roberts, Security Solutions Lead Oracle.
He showed the long list of Oracle applications in the GRC space. The areas (not apps) are:
- Risk & Compliance Management
- Controls Management
- Policy Management
- Content Management
- Identity & Access Management
- Change Management
- Risk & Control Intelligence
- Operational Intelligence
- Performance Management
- Data Audit
- Data Security
Key Solutions
- data privacy
- HR-driven Identity Management
- Trusted on-line services
- Sustainable regulatory compliance
- proactive information risk management
- Identity infrastructure consolidation
Lunch with a few small booths with Oracle and partners selling their wares. In particular, had a chat with eclectic who are BI specialists.
Fusion Middleware future directions
Presentation by Andrew Sutherland, Vice President, Technology, EMEA at Oracle
He knows his stuff, does Andrew. The core future principles are:
- Web 2.0
- Rapid Assembly
- Adaptable
- This means that software should be a service which is ‘hot-pluggable’.
- As it is web-based, security is the top priority.
- The ability to separate the maintenance of the database from data access is vital.